Presentation to the Science and Technology Committee of the American Bar Association on legal issues associated with employers enabling employee Bring Your Own Device policies.
BYOD Bringing Technology to Work
Sending Data Everywhere
SPEAKER
Jim Brashear is a member of the Bar of the United States Supreme Court, the California Bar Association and the State Bar of Texas. He frequently appears as a public speaker on corporate governance, data security and information technology legal topics.
He currently serves as Programs Co-Chair and Cloud/SaaS Co-Chair for the Association of Corporate Counsel’s Information Technology, Privacy & Electronic Commerce Committee.
He received a Juris Doctorate degree, magna cum laude, from the University of San Diego School of Law, and a Bachelor of Arts degree in political science from the University of California at San Diego.
James F. Brashear, General Counsel, Zix Corporation
@jfbrashear
This program is for educational purposes only. The content does not constitute legal advice. No attorney-client relationship is created by your participation.
A Leader in Email Data Protection
Committed to innovative, easy-to-use email security
Recognized by Gartner Research as the industry leader in email encryption
Email-specific DLP solution
Innovative BYOD solution
Zix Corporation
AGENDA
• Background
• Data (in)Security
• Legal Risks
• Ethics
• Policy Approaches
• Technology Solutions
Background
BYOD is part of a larger phenomenon
Individual IT Empowerment
Devices
Connectivity
Cloud
Social
BIG DATA
CIOs Look for Ways to Marry Social Data with Big Data
Wall Street Journal (July 26, 2013)
CONFLUENCE
Mobile Devices are an Essential Part of Modern Life
People are emotionally attached to their devices
They take them everywhere
Enable work whenever and wherever they go
Work Phone
Personal Phone
It is common for employees to use company-provided devices plus personally-owned devices
This is BYOD
Multiple Devices
Average U.S. user carries 3 mobile devices
Sophos survey
Why BYOD?
o Improved employee productivity
o Adopting technology at the speed of consumer markets
o Enhanced employee morale
o Attract and retain staff
o Potential cost savings
o Offloading the management of non-strategic devices from IT
Source: Gartner, BYOD The Facts and The Future
Challenges to IT Departments
• Consumerization of IT = Decentralization
• Flood of new devices
• Hundreds of thousands of apps
• New ways of sharing data
– Hundreds of social media sites
– Many file sharing websites
Data (in)Security
“There’s nothing hotter for consumers than tablets and smartphones.
There’s also nothing more terrifying for IT than tablets and smartphones.”
- Mark Fidelman, Forbes Contributor
It’s Easy to Understand Why IT Departments Are Nervous
81% of employees already use personal devices at work
Source: Harris Interactive
91% of tablet users have disabled auto-lock security
75% of smartphone users have disabled auto-lock security
BYOT = Unsecured Data Bridge
In addition to device security, BYOD solutions must address data security, secure connectivity & controlled access
Legal Risks
Law Lags Technology
Privacy laws didn’t contemplate today’s technology
Going Too Fast?
Supreme Court mired in 19th century communication modes
“Court hasn't really 'gotten to' email”
- Justice Elena Kagan
Challenge for Courts
Supreme Court’s real challenge for the next 50 years will be identifying the fundamental principle underlying constitutional protection and applying it to new issues and new technology
- Chief Justice John Roberts
Employee Personal Data
Employee consent to remote wipe
• Private photos
• Personal documents
• Financial information
• Medical facts
• Accounts and Passwords
• Application metadata
• Location data
Containerization and mixed use of company-provided apps
Employee Privacy
Rulings differ based on employer policies and practices
• Clear notice to employees
• Coordinate with workers’ councils
• U.S. federal and state laws
• Non-U.S. laws
Reasonable expectation of privacy?
Employer-provided
• City of Ontario v. Quon
• Lazette v. Kulmatycki
BYOD may result in greater expectations of privacy
Social Media Password Laws
11 states limit employer access to social media usernames and passwords: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah, Washington
• Some include email
• Proposed federal law: Social Networking Online Protection Act of 2012
Employer monitoring?
Discrimination
• Protected categories
• Criminal history
• Employee non-work behavior
Gramm-Leach-Bliley Safeguards Rule
• Article 9 of the UCC is, in practice, requiring lenders to obtain a copy of each client's driver's license before making a loan secured by personal property
• Loan officers sometimes photograph the driver's license with their smartphone and send it by email or SMS to their office
HIPAA Privacy and Security
#1 HIPAA violation is unencrypted data on lost or stolen devices
• $1.5M lost laptop fine
• $1.7M lost USB drive fine
PwC Health Research Institute
• Increase in healthcare BYOT
• Mobile security one of the top 10 issues hospitals will face in 2013
Investigations and Legal Holds
FRCP Rule 37(e): failure to preserve
• Triggering events
• Preservation issues
FRCP Rule 26(b)(1): proportionality
• Possession, custody or control
Stored Communications Act
• Restricts access to email and other communications in electronic storage
– Warrant needed to access communication in electronic storage for 180 days or less
Split of authority on “storage”
• Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)
• Jennings v. Broome et al., No. 27177, 2012 S.C. LEXIS 204 (S.C. Oct. 10, 2012)
• Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010)
Calls to revise 1986 Electronic Communications Privacy Act
Not clear how it applies to today’s electronic communications
Smartphone not a “facility” under SCA
• Garcia v. City of Laredo, No. 11-41118 (5th Cir. Dec. 12, 2012)
Key to Protecting Trade Secrets
Take reasonable steps to protect information from improper and unauthorized access or exposure
• Identify and classify confidential information and trade secrets
• Physical and electronic security protocols for limiting access to confidential information
• System to prevent disclosure of confidential information by insiders
Obligations under Non-Disclosure Agreements
• Developing standard of care for BYOD data security
BYOT and Trade Secrets
Traders allegedly emailed to personal accounts computer code containing employer’s secret high-frequency trading algorithms
• One shared the files through Dropbox
BYOT and Trade Secrets
United States v. Aleynikov
Employee uploaded source code used to execute high frequency trades and offered it to competitors
• NSPA does not criminalize theft of intangible property
• No economic espionage because code was not a product
United States v. Agrawal
Employee uploaded files containing step-by-step instructions for assembling medical equipment
– Employer detected him forwarding trade secrets from his work email account to a personal email account
Email is a major source of data leakage
• Cloud file transfer services too
Ethics Issues
Lawyers are Targets
“Already making chump-meat of the most sophisticated of computer defenses, hackers are unleashing a new wave of malware on unsuspecting law firms. And among the newest targets are mobile phones and similar portable devices.”
Security
New hacker technology threatens lawyers’ mobile devices, by Joe Dysart, posted Sep 1, 2013 3:10 AM CDT
“We fear that we will have to suffer more very public data breaches before law firms collectively agree to batten down the hatches and put security first.”
Sharon D. Nelson, Sensei Enterprises
Ethics: Competence
Model Rule 1.1: A lawyer shall provide competent representation to a client
A lawyer should keep abreast of the risks associated with technology
Ethics: Client Confidences
Model Rule 1.6(c): A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client
Law Firm Cybersecurity Audits
“Since mobile electronic devices are a likely weak area, one issue is whether confidential information sent to them is encrypted.”
Business of Law
Bank’s new cybersecurity audits catch law firms flat-footed, by Martha Neil, posted Jun 13, 2013 4:10 PM CDT
Under pressure from federal regulators, who are concerned about lax cybersecurity at law firms, the Bank of America Merrill Lynch has begun conducting audits on the law firms it does business with, to verify what they are doing to protect sensitive information.
When to Encrypt
• Mandatory Data Protection: Law or regulations require encryption or provide a safe harbor from data breach requirements if data is encrypted
• Heightened Risk of Interception: Lawyers should not use unencrypted communications where there is a particularly high risk that it may be accessed by unauthorized third parties
• Responding to Encrypted Communication: Lawyers should reply using equivalent security, because prior emails often are appended to replies
• Highly Sensitive Information: Lawyers should not send highly sensitive client communications unencrypted
Policy Approaches
Companies Lack BYOT Policies
of companies have not trained employees on BYOT risks, practices and policies
of businesses that permitted BYOD had no specific security or support policies
71%
80%
Source: ITIC, 2012
Unworkable Policies
Banning BYOT is unrealistic and unworkable
• Only 12% of companies say they have no plans to allow BYOD
Information Week – 2013 State of Mobile Security
Top 10 Banned Apps
Android
• Dropbox
• Netflix
• Google+
• Angry Birds
• Google Play Movies & TV
• Google Play Books
• Sugarsync
• Google Play Music
• Google+ Hangouts
iOS
• Dropbox
• SugarSync
• BoxNet
• Google Drive
• Pandora
• SkyDrive
• Angry Birds
• HOCCER
• Netflix
#1 on both lists: Dropbox
Non-Compliance
Employees with high potential for harm are among the most likely to violate security policies
CEB Information Risk Executive Council End-User Awareness Survey, 2009–2012
Policy and training exceptions for senior executives increase risks
93% of employees admit violating policies designed to prevent breaches and noncompliance
Non-Compliance
Proxy work-around for workplace web site ban
Credit: www.labnol.org
Users want flexibility
WHAT THEY DON’T WANT IS:
• Company monitoring of their personal activities or restricting the apps they use
• Interruption of their calendar, contacts, phone and texting functions
• Invasion or deletion of their personal data
Companies want safe data
WHAT THEY DON’T WANT IS:
• Corporate data distributed on thousands of devices and web sites
• Users resorting to personal solutions and other insecure means of maintaining productivity
2/3 of employees don't trust employers with their mobile data and privacy
MobileIron survey
Must Balance Competing Wants
Employers’ #1 concern is securing corporate data on personal devices
Information Week: 2013 State of Mobile Security
Employee Privacy
Enterprise: Control and Security
Individual: Empowerment and Privacy
The Right Balance
Solution should support both perspectives
Companies get security, productive employees and improved morale
Employees get flexibility and privacy
BYOD Guidelines
• NIST Special Publication 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise
• NIST recommends mitigation measures
– Adopt Strong General Policies
– Incorporate Mobile Devices In Existing System Threat Models
– Develop Multiple Security Strategies
– Pre-Production of Security Solutions
– Install Secure Baseline Configurations for Company-Issued Devices
– Maintenance and Assessment
Technology Solutions
Complete Solutions?
Strategy
Policies
Technology
Training
Monitoring
No system can anticipate and control every possible use of new technologies or every form of non-compliance
Trust May Trump Controls
• Detailed and strictly enforced policies may cause employees to “work to rule”
• Describe objectives and give general guidance
Data Loss Prevention
Intercept Outbound Data
Analyze Content
Apply Policies
Notification
Archive
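The five stages on this slide can be run end to end on sample mail. The following Python is an added illustration written for this page; it is not Zix's product code, and the company domain, the detection patterns (SSN, payment card with a Luhn check, source-code attachments, a "confidential" marking), the policy rules and the four sample messages are all assumptions or constructed data. It shows why the analysis stage needs more than a pattern match (the Luhn check keeps phone numbers and order ids from being flagged as cards), why the policy stage looks at the recipient domain as well as the content, and why every decision, not only blocks, goes to the archive.

```python
"""Minimal outbound-email DLP pipeline: intercept, analyze, apply policy,
notify, archive.  Added example for this page, not ZixCorp's product code.
The domain, patterns, policy rules and sample messages are assumptions."""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "corp.example"  # assumed corporate mail domain


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)  # attachment file names


# Content analyzers (assumed patterns, deliberately simple)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SOURCE_EXT = (".py", ".c", ".cpp", ".java", ".cs")


def luhn_ok(candidate: str) -> bool:
    """Mod-10 check so phone numbers and order ids are not flagged as cards."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def analyze(msg: Message) -> set[str]:
    """Stage 2 (Analyze Content): returns the set of finding labels."""
    text = f"{msg.subject}\n{msg.body}"
    findings = set()
    if SSN_RE.search(text):
        findings.add("ssn")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        findings.add("payment_card")
    if any(name.lower().endswith(SOURCE_EXT) for name in msg.attachments):
        findings.add("source_code")
    if re.search(r"\bconfidential\b", text, re.IGNORECASE):
        findings.add("confidential_marking")
    return findings


def is_external(msg: Message) -> bool:
    """True when the recipient is outside the assumed corporate domain."""
    return not msg.recipient.lower().endswith("@" + INTERNAL_DOMAIN)


def apply_policy(msg: Message, findings: set[str]) -> str:
    """Stage 3 (Apply Policies): map findings to allow, encrypt or block."""
    if not is_external(msg):
        return "allow"  # internal traffic stays on the corporate system
    if "source_code" in findings:
        return "block"  # code leaving to outside accounts is never allowed
    if findings & {"ssn", "payment_card", "confidential_marking"}:
        return "encrypt"  # deliver, but only over an encrypted channel
    return "allow"


def process(msg: Message, archive: list[dict], notices: list[str]) -> str:
    """Stages 1, 4 and 5 (Intercept, Notification, Archive) around the
    analysis and policy steps; every decision is archived, not only blocks."""
    findings = analyze(msg)
    action = apply_policy(msg, findings)
    if action != "allow":
        notices.append(f"{msg.sender} -> {msg.recipient}: {action} "
                       f"({', '.join(sorted(findings))})")
    archive.append({"from": msg.sender, "to": msg.recipient,
                    "subject": msg.subject, "findings": sorted(findings),
                    "action": action})
    return action


def run_samples() -> list[str]:
    """Run four constructed messages through the pipeline; returns the actions."""
    samples = [
        Message("alice@corp.example", "bob@corp.example", "Lunch", "Noon?"),
        Message("officer@corp.example", "officer@personal.example", "Client file",
                "SSN 123-45-6789 for the loan; license photo attached",
                ["license.jpg"]),
        Message("trader@corp.example", "me@personal.example", "backup",
                "strategy code", ["hft_strategy.py"]),
        Message("sales@corp.example", "buyer@customer.example", "Invoice",
                "Charge card 4111 1111 1111 1111 for the balance"),
    ]
    archive, notices = [], []
    return [process(m, archive, notices) for m in samples]


if __name__ == "__main__":
    print(run_samples())  # ['allow', 'encrypt', 'block', 'encrypt']
```

The second sample is the loan-officer scenario from the Gramm-Leach-Bliley slide and the third is the trade-secret scenario from the Aleynikov slide: the same pipeline turns one into an encrypted delivery and the other into a block, and both leave an archive record that a legal hold or investigation can later rely on.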
Spectrum of BYOD Solutions, from Enterprise Control to Employee Empowerment:
• Mobile Device Management
• Mobile App Management
• Mobile File Management
• Separate Interfaces
• Containerization
• App Wrapping
• Desktop Virtualization
• App Virtualization
Most BYOD approaches are missing the point
MDM & Containerization assume data is on the device
• Too Complex
• Too Expensive
• Too Invasive For Users
• Too Difficult To Implement
• Problem Getting Worse
The Holy Grail
The holy grail remains full mobile virtualization
– It’s probably a better bet to just keep persistent data off the device in the first place
Information Week: 3 Ways To Virtualize Mobile Devices — And Why You Should Do So
Email App Virtualization
o EMAIL NEVER RESIDES ON THE DEVICE
o USERS RETAIN COMPLETE CONTROL
o No monitoring, restrictions or risk of data loss
o FIREWALLING OF PERSONAL DATA
o Limits company liability
o SEAMLESS INTEGRATION WITH NATIVE FUNCTIONS AND UI
o Contacts can be used for phoning and texting
o COMPLIANCE REPORTING
o Because each email is only on the phone while viewed, the number of messages at risk is almost nothing
Inside View
Customer Exchange Server <-- TLS (Exchange Web Services) --> Hosted service or on-site gateway <-- TLS (presentation protocol) --> Mobile Device (RAM only)
ZIXONE demo on Apple’s App Store and Google Play
Questions